---
title: Configuring Casdoor Authentication Service in LobeChat
description: >-
  Learn how to configure the Casdoor authentication service in LobeChat,
  including deployment, creation, permission settings, and environment
  variables.
tags:
  - Casdoor Authentication
  - Environment Variable Configuration
  - Single Sign-On
  - LobeChat
---

# Configuring Casdoor Authentication Service

[Casdoor](https://github.com/casdoor/casdoor) is an open-source authentication service that is rich in features and easy to use.

<Callout type={'tip'}>
  If you want to privately deploy Casdoor, we recommend using Docker Compose to deploy it together
  with the LobeChat database version, allowing LobeChat to share the same Postgres instance.
</Callout>

## Casdoor Configuration Process

If you are deploying using a local network IP, the following assumptions apply:

- Your LobeChat database version IP/port is `http://LOBECHAT_IP:3210`.
- You privately deploy Casdoor, and its domain is `http://CASDOOR_IP:8000`.

If you are deploying using a public network, the following assumptions apply:

- Your LobeChat database version domain is `https://lobe.example.com`.
- You privately deploy Casdoor, and its domain is `https://lobe-auth-api.example.com`.

<Steps>

### Create a Casdoor Application

Access your privately deployed Casdoor WebUI (default is `http://localhost:8000/`) to enter the console. The default account is `admin`, and the password is `123`.

Go to `Authentication` -> `Applications`, create a `LobeChat` application or directly modify the built-in `built-in` application. You can explore other fields, but you must configure at least the following fields:

- Name, Display Name: `LobeChat`
- Redirect URLs:
  - Local Development Environment: `http://localhost:3210/api/auth/callback/casdoor`
  - Local Network IP Deployment: `http://LOBECHAT_IP:3210/api/auth/callback/casdoor`
  - Public Network Environment: `https://lobe.example.com/api/auth/callback/casdoor`

There are also some optional fields that can enhance user experience:

- Logo: `https://lobehub.com/icon-192x192.png`
- Form CSS, Form CSS (Mobile):

```html
<style>
  .login-panel {
    padding: 40px 70px 0 70px;
    border-radius: 10px;
    background-color: #ffffff;
    box-shadow: rgba(17, 12, 46, 0.15) 0px 48px 100px 0px;
  }
  .panel-logo {
    width: 64px;
  }
  .login-logo-box {
    margin-top: 20px;
  }

  #parent-area
    > main
    > div
    > div.login-content
    > div.login-panel
    > div.login-form
    > div
    > div
    > button {
    box-shadow: none !important;
    border-radius: 10px !important;
    transition-property: all;
    transition-timing-function: cubic-bezier(0.4, 0, 0.2, 1);
    transition-duration: 150ms;
    border: 1px solid #eee !important;
  }

  @media (max-width: 640px) {
    .login-panel {
      padding: 40px 0 0 0;
      box-shadow: none;
    }
  }
</style>
```

Then, copy the `Client ID` and `Client Secret` and save them.

### Configure Environment Variables

Set the obtained `Client ID` and `Client Secret` as `AUTH_CASDOOR_ID` and `AUTH_CASDOOR_SECRET` in the LobeChat environment variables.

Configure `AUTH_CASDOOR_ISSUER` in the LobeChat environment variables as follows:

- `http://localhost:8000/` if you are in a local development environment.
- `http://CASDOOR_IP:8000/` if you are privately deploying Casdoor in a local network.
- `https://lobe-auth-api.example.com/` if you are deploying Casdoor in a public network environment.

When deploying LobeChat, you need to configure the following environment variables:

| Environment Variable | Type | Description |
| --- | --- | --- |
| `NEXT_AUTH_SECRET` | Required | A key for encrypting Auth.js session tokens. You can generate a key using the command: `openssl rand -base64 32`. |
| `NEXT_AUTH_SSO_PROVIDERS` | Required | Select the single sign-on provider for LobeChat. Fill in `casdoor` for using Casdoor. |
| `AUTH_CASDOOR_ID` | Required | The client ID from the Casdoor application details page. |
| `AUTH_CASDOOR_SECRET` | Required | The client secret from the Casdoor application details page. |
| `AUTH_CASDOOR_ISSUER` | Required | The OpenID Connect issuer for the Casdoor provider. |
| `NEXTAUTH_URL` | Required | This URL specifies the callback address for Auth.js during OAuth verification and needs to be set only if the default generated redirect address is incorrect. `https://lobe.example.com/api/auth` |

<Callout type={'tip'}>
  Visit [📘 Environment Variables](/docs/self-hosting/environment-variables/auth#casdoor) for
  details on related variables.
</Callout>

</Steps>

<Callout type={'info'}>
  Once deployed successfully, users will be able to authenticate via Casdoor and use LobeChat.
</Callout>
